There are two kinds of privacy in software: privacy by policy, and privacy by architecture.
Privacy by policy means the service provider holds your data and the keys to look at it. They may promise not to look, but technically, they can. You are trusting their organization, their employees, and their government not to compel them to look. Privacy is contingent on their restraint.
Privacy by architecture means the service provider cannot look at your data because they do not have the keys. The data may be encrypted in a way that they cannot decrypt, or hosted on your server that they cannot access. Even if they wanted to look, or were compelled to by a court, they couldn't.
One requires trust. The other does not.
Enterprises often demand architectural privacy. For consumers, architectural privacy is often treated as a luxury and locked behind expensive premium pricing tiers. (Eg via features like self-hosting, end-to-end encryption, and bring your own key.) Providers essentially say: "Trusting us is free. Removing the need for trust costs extra."
We reject this.
We believe architectural privacy is the baseline. Privacy that depends on our restraint is not equivalent to privacy that's ontologically yours. You might choose our cloud for convenience, but your sovereignty isn't ours to sell.
On Relay, self-hosting is free. The programmatic guarantee that we cannot access your data is available on every plan. We charge for the convenience and infrastructure we provide. We do not charge for the architecture that guarantees your privacy.
Matt O'Brien & Daniel Grossmann-Kavanagh ยท 2025-11-26